CN112398741A - Method for learning routing, method, equipment and storage medium for forwarding message - Google Patents

Info

Publication number: CN112398741A
Authority: CN (China)
Prior art keywords: belongs, target area, network device, area, original
Legal status: Granted
Application number: CN201910988765.3A
Other languages: Chinese (zh)
Other versions: CN112398741B (en)
Inventors: 王海波, 庄顺万, 闫刚
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd

Application filed by Huawei Technologies Co Ltd
Priority to EP20852148.4A (EP4016941A4)
Priority to PCT/CN2020/109315 (WO2021027941A1)
Publication of CN112398741A
Priority to US17/671,695 (US11799756B2)
Application granted
Publication of CN112398741B
Legal status: Active

Classifications

    • H04L45/08 Learning-based routing, e.g. using neural networks or artificial intelligence (H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L45/00 Routing or path finding of packets in data switching networks; H04L45/02 Topology update or discovery)
    • H04L45/04 Interdomain routing, e.g. hierarchical routing (H04L45/00 Routing or path finding of packets in data switching networks; H04L45/02 Topology update or discovery)
    • H04L63/126 Applying verification of the received information: the source of the received data (H04L63/00 Network architectures or network communication protocols for network security; H04L63/12 Applying verification of the received information)


Abstract

A method for learning a route. The method comprises the following steps: a network device obtains BGP routing information from a BGP neighbor; when the target area to which the BGP neighbor belongs is the same as the target area to which the BGP route belongs, the network device learns the BGP routing information. A method for forwarding a packet. The method comprises the following steps: the network device receives a packet through a network interface; when the target area to which the network interface belongs is the same as the target area to which the packet belongs, the network device forwards the packet. With these methods, the network device performs area verification after receiving BGP routing information or a packet, which ensures that the BGP routing information it learns is genuine and reliable, or that the source of the packet it forwards is genuine and reliable, prevents an external ISP from forging BGP routing information or hijacking packets, and improves network security.

Description

Method for learning routing, method, equipment and storage medium for forwarding message
This application claims priority from the Chinese patent application with application number 201910754931.3, entitled "A method, apparatus and system for receiving routes in a BGP network", filed on August 15, 2019, which is incorporated herein by reference in its entirety.
Technical Field
The present application relates to the field of communications, and in particular to a method for learning a route, a method for forwarding a packet, a device, and a storage medium.
Background
In a network, security attacks based on Border Gateway Protocol (BGP) routing occur every day; for example, an external Internet Service Provider (ISP) may intercept user traffic by forging BGP routing information.
Disclosure of Invention
The present application provides a method for learning a route, a method for forwarding a packet, a device and a storage medium, which address the technical problem of an external ISP forging BGP routing information and improve network security.
In a first aspect, the present application provides a method for learning a route. The method is applied in a first network device in a Border Gateway Protocol (BGP) based network, where the network further includes a second network device and the first network device communicates with the second network device through BGP. The method includes: the first network device obtains, from the second network device, first BGP routing information of a BGP route, where the first BGP routing information includes verification information; the first network device determines the target area to which the first BGP routing information belongs according to the verification information; and when the target area to which the first BGP routing information belongs is the same as the target area to which the second network device belongs, the first network device learns the first BGP routing information.
The method may be performed by a Provider Edge (PE) device in the network. The network device performs area verification after receiving BGP routing information from a BGP neighbor, which ensures that the BGP routing information it learns is genuine and reliable, prevents an external ISP from forging BGP routing information, and improves network security.
In one possible design, the method further includes: when the target area to which the first BGP routing information belongs is different from the target area to which the second network device belongs, the first network device discards the first BGP routing information, that is, the first network device does not store it. Discarding BGP routing information whose area is inconsistent ensures network security.
In one possible design, the method further includes: when the target area to which the first BGP routing information belongs is different from the target area to which the second network device belongs, setting the priority of the first BGP routing information to a first priority, where the first priority is lower than a second priority, the second priority being the priority of second BGP routing information whose target area is the same as the target area to which the second network device belongs. When the target area of the second network device differs from the target area of the BGP routing information, the BGP routing information is thus given a lower priority, so that BGP routing information with an inconsistent target area is not preferred in subsequent route selection, and network security is ensured.
In one possible design, the verification information includes a first origin autonomous system (AS), and the first network device determining the target area to which the first BGP routing information belongs according to the verification information includes: the first network device takes the target area to which the first origin AS belongs as the target area to which the first BGP routing information belongs.
In this method, the network devices in the BGP network are divided into different areas, and BGP routing information is associated with a specific area according to the origin AS it carries.
In one possible design, the method further includes: the first network device obtains area information, where the area information includes a mapping between identification information of the second network device and the target area to which the second network device belongs, and a mapping between the first origin AS and the target area to which the first origin AS belongs; the first network device determines the target area to which the second network device belongs according to the identification information of the second network device and the area information; and the first network device determines the target area to which the first origin AS belongs according to the first origin AS and the area information.
In one possible design, before the first network device learns the first BGP routing information, the method further includes: the first network device determines that the first origin AS is the same as a second origin AS, where the second origin AS is the origin AS corresponding to the first BGP routing information obtained from Route Origin Authorization (ROA) data.
In this method, before using the origin AS to determine the target area to which BGP routing information belongs, the network device verifies that the origin AS is trustworthy.
In one possible design, the target area is an area, an area federation, or a combination of an area and an area federation.
In a second aspect, the present application provides a method for forwarding a packet. The method is applied in a first network device in a BGP-based network, where the first network device includes a network interface. The method includes: the first network device receives a packet through the network interface, where the packet includes a source address; the first network device determines the target area to which the packet belongs according to the source address; and when the target area to which the network interface belongs is the same as the target area to which the packet belongs, the first network device forwards the packet.
The method may be performed by a Provider Edge (PE) device in the network. The network device performs area verification after receiving a packet through the network interface and forwards the packet only when its source is confirmed to be genuine and reliable, which prevents an external ISP from hijacking the area's traffic by forging BGP routing information and improves network security.
In one possible design, the method further includes: when the target area to which the network interface belongs is different from the target area to which the packet belongs, the first network device discards the packet, or the first network device records the packet.
In one possible design, the first network device determining the target area to which the packet belongs according to the source address includes: the first network device takes the target area to which the first origin AS belongs as the target area to which the packet belongs.
In one possible design, the network further includes a second network device, the first network device communicates with the second network device through BGP and is connected to the second network device through the network interface, and the method further includes: the first network device obtains area information, where the area information includes a mapping between identification information of the second network device and the target area to which the network interface belongs, and a mapping between the first origin AS and the target area to which the first origin AS belongs; the first network device determines the target area to which the network interface belongs according to the identification information of the second network device and the area information; and the first network device determines the target area to which the first origin AS belongs according to the first origin AS and the area information.
In one possible design, before the first network device forwards the packet, the method further includes: the first network device determines that the first origin AS is the same as a second origin AS, where the second origin AS is the origin AS of the source address obtained from Route Origin Authorization (ROA) data.
In a third aspect, the present application provides a network device, which executes the method in the first aspect or any one of the possible implementation manners of the first aspect. In particular, the network device comprises means for performing the first aspect or the method in any one of its possible implementations.
In a fourth aspect, the present application provides a network device that performs the method of the second aspect or any one of the possible implementations of the second aspect. In particular, the network device comprises means for performing the second aspect or the method in any one of its possible implementations.
In a fifth aspect, the present application provides a network device, comprising: a processor, a network interface, and a memory. The network interface may be a transceiver. The memory may be configured to store program codes, and the processor is configured to call the program codes in the memory to perform the foregoing first aspect or any one of the possible implementations of the first aspect, which is not described herein again.
In a sixth aspect, the present application provides a network device, comprising: a processor, a network interface, and a memory. The network interface may be a transceiver. The memory may be configured to store program code, and the processor is configured to call the program code in the memory to perform the foregoing second aspect or any one of the possible implementations of the second aspect, which is not described herein again.
In a seventh aspect, the present application provides a network device including a main control board and an interface board. The main control board includes a first processor and a first memory. The interface board includes a second processor, a second memory, and an interface card. The main control board is coupled with the interface board. The first memory may be configured to store program code, and the first processor is configured to call the program code in the first memory to perform the following: determining the target area to which the first BGP routing information belongs according to the verification information; and when the target area to which the first BGP routing information belongs is the same as the target area to which the second network device belongs, learning the first BGP routing information.
The second memory may be configured to store program code, and the second processor may be configured to invoke the program code in the second memory to trigger the interface card to perform the following: obtaining first BGP routing information from the second network device, where the first BGP routing information includes verification information.
In an eighth aspect, the present application provides a network device including a main control board and an interface board. The main control board includes a first processor and a first memory. The interface board includes a second processor, a second memory, and an interface card. The main control board is coupled with the interface board. The first memory may be configured to store program code, and the first processor is configured to call the program code in the first memory to perform the following: determining the target area to which the packet belongs according to the source address.
The second memory may be configured to store program code, and the second processor may be configured to invoke the program code in the second memory to trigger the interface card to perform the following: receiving a packet through the network interface, where the packet includes a source address; and when the target area to which the network interface belongs is the same as the target area to which the packet belongs, forwarding the packet.
In a ninth aspect, the present application provides a computer-readable storage medium having stored therein instructions, which when run on a computer, cause the computer to perform the method of the above aspects.
In a tenth aspect, the present application provides a computer program product comprising computer program instructions that, when run on a network device, cause the network device to perform the method as provided in the first aspect, the second aspect, any one of the possible implementations of the first aspect, or any one of the possible implementations of the second aspect.
In an eleventh aspect, the present application provides a chip comprising a memory and a processor, wherein the memory is used for storing a computer program, and the processor is used for calling the computer program from the memory and executing the computer program to perform the method in the first aspect and any possible implementation manner of the first aspect, or the processor performs the method in the second aspect or any possible implementation manner of the second aspect.
Optionally, the chip only includes a processor, and the processor is configured to read and execute the computer program stored in the memory, and when the computer program is executed, the processor executes the method in the first aspect or any possible implementation manner of the first aspect, or the processor executes the method in the second aspect or any possible implementation manner of the second aspect.
Drawings
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application;
fig. 2 is a schematic view of an application scenario provided in an embodiment of the present application;
fig. 3A is a schematic view of an application scenario provided in the embodiment of the present application;
fig. 3B is a schematic view of an application scenario provided in the embodiment of the present application;
fig. 4 is a flowchart illustrating a method for learning a route according to an embodiment of the present application;
fig. 5 is a schematic flowchart of a method for forwarding a packet according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a network device according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a network device according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a network device according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a network device according to an embodiment of the present application;
fig. 10 is a schematic structural diagram of a network device according to an embodiment of the present application;
fig. 11 is a schematic structural diagram of a network device according to an embodiment of the present application.
Detailed Description
Embodiments of the present application are described below with reference to the accompanying drawings.
The Internet is a vast network of interconnected networks, joined by a set of common protocols and relying on infrastructure to ensure connectivity, service availability and service trustworthiness. Currently the Internet infrastructure mainly consists of the Border Gateway Protocol (BGP), the Domain Name System (DNS), and Public Key Infrastructure (PKI). However, because the current infrastructure lacks a firm and secure root of trust, the BGP protocol itself has no security authentication mechanism for learning BGP routing information, and security attacks based on BGP routing information, such as origin hijacking, path hijacking and route leaks, occur every day. Internet security is therefore an urgent problem. In order to verify whether the origin of BGP routing information is correct, a Resource Public Key Infrastructure (RPKI) mechanism was introduced on top of BGP: the information required to authenticate BGP routing information is published through RPKI, and the content carried in BGP routing information is compared with the published information to check its legitimacy. Specifically, for the BGP routing information originated by each Internet Service Provider (ISP), the origin Autonomous System (AS), route prefix, mask and similar data are collected by distributed RPKI servers. Moreover, when an ISP advertises BGP routing information, it must carry the origin AS of that routing information. A router establishes a connection with an RPKI server and locally stores Route Origin Authorization (ROA) data, which contains the mapping between BGP routing information obtained from the RPKI server and its origin AS.
When the router receives BGP routing information advertised by an external neighbor, it compares the origin AS carried in the BGP routing information with the origin AS mapped to that routing information in the ROA data, thereby verifying whether the BGP routing information received from the external neighbor is legitimate and ensuring that hosts in the administrative domain can access external services securely.
Take the network scenario shown in fig. 1 as an example. The destination server (10.1.0.0/16) is attached to the ISP1 backbone and its routing information is advertised to external ASs. The destination server belongs to AS3, so the origin AS carried in the routing information is AS3, and the mapping between the 10.1.0.0/16 routing information and AS3 is also saved in the ROA data by the RPKI server. If an external ISP belonging to AS100 forges a more specific route for that server (10.1.1.0/24), the origin AS carried in the forged routing information is AS100. The external ISP advertises the forged routing information to the ISP1 backbone. The ISP1 backbone performs ROA verification: it looks up the routing information covering 10.1.0.0/16 and 10.1.1.0/24 in the ROA database, finds that the origin AS of that routing information is AS3, and since AS100 carried in the routing information received from the external ISP does not match, it considers the routing information received from the external ISP invalid. In other words, this verification mode judges whether routing information is safe and reliable by verifying whether the origin AS it carries is correct.
However, this verification method cannot protect against an attack in which the external ISP forges the origin AS. Take the network scenario shown in fig. 2 as an example. The destination server (10.1.0.0/16) is attached to an Internet Data Center (IDC) of ISP1, and the AS to which the IDC belongs is AS2. The destination server (10.1.0.0/16) advertises the 10.1.0.0/16 routing information to external ASs, and the origin AS it carries is AS3. As before, the mapping between the 10.1.0.0/16 routing information and AS3 is also saved in the ROA data through the RPKI server. If an external ISP wants to hijack the traffic of users accessing the server (10.1.0.0/16), it forges 10.1.1.0/24 routing information, and the origin AS of the forged routing information is AS2. The ISP1 backbone receives the 10.1.1.0/24 routing information advertised by the external ISP, whose origin AS is AS2. In this scenario, even if the ISP1 backbone has deployed ROA and performs ROA verification, the origin AS carried by the forged routing information is considered to match completely, and the forged routing information is therefore considered safe and reliable.
The embodiments of the present application provide a method for learning a route, and a device and a system based on the method. The method, device and system embodiments may refer to one another; elements that are the same or similar are not described again. The method introduces the concept of an area: it divides ASs into areas by setting an area attribute for each AS in the network, then uses the areas to check learned routes and forwarded packets, prohibiting an area's routes from being learned from outside the area and prohibiting an area's packets from passing in and out of the area, thereby improving network security.
Fig. 3A shows a possible application scenario of the embodiments of the present application. The scenario includes several ASs: AS1, AS2, AS3, AS100, and so on. Among them, AS3 may be the backbone of ISP1, AS1 the metropolitan area network of ISP1, AS2 the IDC of ISP1, AS4 the backbone of ISP2, AS5 the metropolitan area network of ISP2, AS6 the IDC of ISP2, and AS100 the network of an external ISP. AS3 includes Provider Edge (PE) devices PE1 and PE2, AS1 includes PE3, AS4 includes PE4, and AS100 includes PE5. PE1 is connected to PE4 and PE5, PE2 is connected to PE3, and PE4 is connected to PE5.
The principle for dividing ASs into different areas includes, but is not limited to: the sub-ISPs of an ISP that are interconnected with each other are grouped into one area; if ISP1 also has a point of presence (POP) that is not directly interconnected with the other sub-ISPs of ISP1, that POP is not placed in ISP1's area.
As shown in fig. 3, AS1, AS2 and AS3 constitute area 1, and AS4, AS5 and AS6 constitute area 2. PE1, as the egress device of the ISP1 backbone, is connected to PE5 of the external ISP, and PE4, as the egress device of the ISP2 backbone, is also connected to PE5.
After the areas are divided, each area may be assigned an identifier to distinguish it from the others. For example, the assigned identifier may be a number: each area is numbered, yielding an area number by which the area is managed. For example, area 1 and area 2 can be managed by their area numbers.
In one example, multiple areas may constitute an area federation. The principle for dividing area federations includes, but is not limited to: multiple areas within a region (such as a country) that are directly interconnected are grouped into one area federation. As shown in fig. 6, area 1 and area 2 constitute area federation 1.
Similarly, after the area federations are divided, each area federation is numbered, yielding an area federation number by which the area federation is managed.
In the method provided by the embodiments of the present application, the division of areas may include dividing areas, dividing area federations, or dividing both areas and area federations. For example, an embodiment may divide only areas and not area federations, may divide only area federations and not areas, or may divide both areas and area federations.
The embodiments of the present application do not limit the manner in which areas and area federations are numbered. Illustratively, the assignment of area numbers and area federation numbers may be managed by a National Internet Registry (NIR).
In the network, the division of areas and/or area federations may be expressed as area information. The area information may include an AS number, an area number and/or an area federation number. For example, the area information includes <area number, AS number>, or the area federation information includes <area federation number, area number>. In the method provided by the embodiments of the present application, the area information need not include BGP routing information; in that case the mapping between BGP routing information and AS may be obtained from a ROA database.
The division of areas and/or area federations and the distribution of area information may be performed by an area data server or may be accomplished through network configuration. Taking the application scenario shown in fig. 3A or fig. 3B as an example, each PE may connect to an area data server (not shown in the figure), and the area data server distributes area information to each PE device.
For example, for area 1 shown in fig. 3A, for which the area data server sets area number 1, the area information distributed by the area data server for the network devices within AS1 in area 1 may be <1,1>. The first 1 in <1,1> represents area 1 and the second 1 represents AS1, that is, the AS to which these devices belong is AS1 and the area to which they belong is area 1. Similarly, the area information distributed by the area data server for the network devices in AS2 and AS3 is <1,2> and <1,3>, respectively. Likewise, for area 2, the area information for the network devices within AS4, AS5 and AS6 is <2,4>, <2,5> and <2,6>, respectively.
The network device determines the area to which a BGP neighbor belongs according to the area information. Taking the application scenario shown in fig. 3A as an example, PE1 determines from the area information that the area to which its BGP neighbor PE4 belongs is area 2, and PE4 determines from the area information that the area to which its BGP neighbor PE1 belongs is area 1.
For example, for area federation 1 shown in fig. 3B, for which the area data server sets area federation number 1, the area information distributed by the area data server for the network devices in area 1 of the area federation may be <1,1>. The first 1 in <1,1> represents area federation 1 and the second 1 represents area 1, that is, the area federation to which these devices belong is area federation 1 and the area to which they belong is area 1. Similarly, the area information distributed by the area data server for the network devices in area 2 may be <1,2>.
Similarly, the network device determines the area federation to which a BGP neighbor belongs according to the area information. Taking the application scenario shown in fig. 3B as an example, PE1 determines from the area information that the area federation to which PE4 belongs is area federation 1, and PE4 determines from the area information that the area federation to which PE1 belongs is area federation 1.
Optionally, the area information may be configured manually on all network devices, in which case no area server need exist in the network.
By using the above-described concept of the area, the embodiments of the present application can verify the authenticity of the BGP routing information. Referring to fig. 4, an embodiment of the present application provides a method for learning a route, where the method is applied to a first network device in a BGP-based network, where the network further includes a second network device, and the first network device communicates with the second network device through BGP, and the method includes:
S210, the first network device obtains first BGP routing information from the second network device, where the first BGP routing information includes verification information.
In one example, the original AS (the origin AS) carried in the BGP routing information serves as the verification information.
S220, the first network device determines a target area to which the first BGP routing information belongs according to the verification information.
Optionally, the first network device uses the target area to which the first original AS belongs as the target area to which the first BGP routing information belongs. Illustratively, the target area is an area, an area federation, or a combination of an area and an area federation. That is, the first network device may use the area to which the original AS carried in the first BGP routing information belongs, the area federation to which that original AS belongs, or the combination of that area and area federation, as the target area to which the first BGP routing information belongs.
In connection with the network scenario shown in fig. 3A, the first network device may be PE1 in the ISP1 backbone, the second network device may be PE4 in the ISP2 backbone or PE5 in an external ISP, and PE1 is connected to PE4 or PE5 through BGP. A server (not shown in fig. 3A) reached through PE4 in the ISP2 backbone has the address block 10.1.0.0/16, and BGP routing information 1 is published to external ASs for it: the BGP prefix in BGP routing information 1 is 10.1.0.0/16 and the original AS carried in BGP routing information 1 is AS4, which serves as the verification information. When PE1 in the ISP1 backbone receives BGP routing information 1 from PE4, PE1 determines from AS4 in BGP routing information 1, combined with the obtained area information, that the area to which AS4 belongs is area 2, and therefore that the area to which BGP routing information 1 belongs is area 2.
If PE5 in the external ISP, which belongs to AS100, forges a more specific BGP routing information 2 for that server, with BGP prefix 10.1.1.0/24 and with AS4 as the original AS carried in BGP routing information 2, and the external ISP issues the forged BGP routing information 2 to PE1 in the ISP1 backbone, PE1 likewise determines from AS4 in BGP routing information 2, combined with the obtained area information, that the area to which AS4 belongs is area 2, and therefore that the area to which BGP routing information 2 belongs is area 2.
In connection with the network scenario shown in fig. 3B, a server (not shown in fig. 3B) reached through PE4 in the ISP2 backbone has the address block 10.1.0.0/16, and BGP routing information 1 is published to external ASs for it: the BGP prefix in BGP routing information 1 is 10.1.0.0/16 and the original AS carried in BGP routing information 1 is AS4, which serves as the verification information. When PE1 in the ISP1 backbone receives BGP routing information 1 from PE4, PE1 determines from AS4 in BGP routing information 1, combined with the obtained area information, that the area federation to which AS4 belongs is area federation 1, and therefore that the target area to which BGP routing information 1 belongs is area federation 1.
If PE5 in the external ISP, which belongs to AS100, forges a more specific BGP routing information 2 for that server, with BGP prefix 10.1.1.0/24 and with AS4 as the original AS carried in BGP routing information 2, and the external ISP issues the forged BGP routing information 2 to PE1 in the ISP1 backbone, PE1 likewise determines from AS4 in BGP routing information 2, combined with the obtained area information, that the area federation to which AS4 belongs is area federation 1, and therefore that the target area to which BGP routing information 2 belongs is area federation 1.
S230, when the target area to which the first BGP routing information belongs is the same as the target area to which the second network device belongs, the first network device learns the first BGP routing information.
As described above, the method provided by the embodiment of the present application divides the ASs in a network into different areas and/or area federations. The method then checks received routing information and learns only routing information that passes the check: routing information belonging to an area must not be learned from outside that area, and routing information belonging to an area federation must not be learned from outside that area federation. The rule by which a network device checks BGP routing information is as follows: routing information belonging to the local area that is received from a neighbor outside the local area is invalid or suspicious, and routing information belonging to the local area federation that is received from a neighbor outside the local area federation is invalid or suspicious.
Therefore, after acquiring the first BGP routing information from the second network device, the first network device first checks it, specifically by comparing the target area to which the first BGP routing information belongs with the target area to which the source device of the routing information, that is, the second network device, belongs. Since the first network device and the second network device communicate through BGP, once the BGP neighbor relationship between them is established, the source device of the first BGP routing information received through that neighbor relationship is necessarily the second network device. The first network device can then determine the target area to which the second network device belongs from the identification information of the second network device and the area information.
Illustratively, when the target area to which the second network device belongs is the same as the target area to which the first BGP routing information belongs, the first network device learns the first BGP routing information, e.g., the first network device adds the first BGP routing information to a routing table of the first network device.
In one example, when the target area to which the second network device belongs differs from the target area to which the first BGP routing information belongs, the first network device does not learn the first BGP routing information. For example, BGP routing information belonging to the local area but learned from a neighbor outside the local area is discarded, to ensure network security.
In another example, when the target area to which the second network device belongs differs from the target area to which the first BGP routing information belongs, the first network device may instead keep the first BGP routing information but set it to a low priority. Because its priority is lower, other routes with higher priority are preferred during route selection, so the suspicious BGP routing information is not selected and network security is ensured. Setting the first BGP routing information to a low priority may mean setting it to a first priority that is lower than a second priority, the second priority being the priority of second BGP routing information.
In connection with the network scenario shown in fig. 3A, the first network device may be PE1 in the ISP1 backbone, the second network device may be PE4 in the ISP2 backbone or PE5 in an external ISP, and PE1 is connected to PE4 or PE5 through BGP. A server (not shown in fig. 3A) reached through PE4 in the ISP2 backbone has the address block 10.1.0.0/16, and BGP routing information 1 is published to external ASs for it, with BGP prefix 10.1.0.0/16 and original AS AS4. When PE1 in the ISP1 backbone receives BGP routing information 1 from PE4, PE1 determines that the area to which AS4 belongs is area 2, so the area to which BGP routing information 1 belongs is area 2. BGP routing information 1 was received from PE4, and the area to which PE4 belongs is also area 2, the same as the area to which BGP routing information 1 belongs. PE1 therefore considers BGP routing information 1 secure and reliable and learns it: for example, BGP routing information 1 is stored in the routing table, route selection is performed, BGP routing information 1 is advertised onward, and BGP routing information 1 is used to forward packets.
If PE5 in the external ISP, which belongs to AS100, forges a more specific BGP routing information 2 for that server, with BGP prefix 10.1.1.0/24 and AS4 as the carried original AS, and the external ISP distributes the forged BGP routing information 2 to PE1 in the ISP1 backbone, PE1 determines that the area to which BGP routing information 2 belongs is area 2. BGP routing information 2 was received from PE5, and the area to which PE5 belongs is not area 2, so it differs from the area to which BGP routing information 2 belongs. PE1 therefore considers BGP routing information 2 invalid or suspicious and does not learn it; for example, BGP routing information 2 is discarded.
Therefore, the technical solution provided by the embodiment of the present application has the following beneficial effects: an external ISP is prevented from hijacking routing information belonging to an area by forging routing information; an external ISP is prevented from hijacking routing information belonging to an area federation by forging routing information; and the security of the network is improved.
In one example, before the first network device uses the original AS carried in the BGP routing information to determine the target area to which the BGP routing information belongs, the first network device performs ROA verification on the original AS. Specifically, the first network device determines whether the first original AS is the same as the original AS for that BGP routing information obtained from Route Origin Authorization (ROA) data. If the two are the same, the first network device goes on to determine the target area to which the BGP routing information belongs using the first original AS. If the two differ, the first original AS may be forged and the BGP routing information may also be forged, so the first network device may directly discard the BGP routing information or set it to a lower priority, without verifying the target area to which the BGP routing information belongs.
Illustratively, the ROA data may be stored locally by the first network device after it establishes a connection with an RPKI server. For example, the first network device receives ROA data from the RPKI server and builds a route verification database locally from the received ROA data.
It should be noted that the two checks may be performed in either order. In one order, after the first network device determines that the first original AS obtained from the BGP routing information received from the second network device is the same as the second original AS obtained from the ROA data for that BGP routing information, it further determines whether the target area to which the second network device belongs is the same as the target area to which the BGP routing information belongs, which further improves network security. Note also that an area may contain multiple ASs, so a route whose target area matches may still carry an original AS that is another AS of the same area rather than the real original AS. For this reason, in the other order, the first network device first determines whether the target area to which the second network device belongs is the same as the target area to which the BGP routing information belongs, and only after they match determines whether the first original AS obtained from the BGP routing information received from the second network device is the same as the second original AS obtained from the ROA data for that BGP routing information, so as to further improve network security.
Illustratively, when the first network device determines that the target area to which the second network device belongs differs from the target area to which the BGP routing information belongs, it may directly discard the BGP routing information or directly set it to a lower priority, without determining whether the first original AS obtained from the BGP routing information received from the second network device is the same as the second original AS obtained from the ROA data for that BGP routing information. This improves route learning efficiency while still ensuring network security.
The embodiment of the present application does not limit the order in which the first network device determines whether the first original AS obtained from the BGP routing information received from the second network device is the same as the second original AS obtained from the ROA data for that BGP routing information, and whether the target area to which the second network device belongs is the same as the target area to which the BGP routing information belongs. Performing both determinations further improves network security.
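The route check of steps S210 to S230, together with the optional ROA check and the two mismatch outcomes (discard or lower priority) described above, as an added example in Python that is not part of the patent. The area information table, the ROA entry (whose maxLength of 24 is chosen so that a forged more specific prefix claiming AS4 still passes ROA validation, which is exactly the case the area check is meant to catch), the use of the neighbor's AS to look up the neighbor's area, and the verdict names are assumptions made for the illustration.

```python
"""Area-based BGP route validation in the style of steps S210-S230.

Added illustration, not code from the patent.  The area information, the
ROA entry and the ASN of the external ISP are constructed from the
fig. 3A / fig. 3B scenario described in the text.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Area information as the area data server would issue it, keyed by AS:
# AS -> (area federation, area).  AS1-AS3 form area 1, AS4-AS6 form area 2,
# and both areas belong to area federation 1.  AS100 (the external ISP) is
# in no area, so it never matches anything.  (Constructed sample data.)
AREA_INFO: Dict[int, Tuple[int, int]] = {
    1: (1, 1), 2: (1, 1), 3: (1, 1),
    4: (1, 2), 5: (1, 2), 6: (1, 2),
}

# ROA data as fetched from an RPKI server: (prefix, maxLength, origin AS).
# maxLength 24 deliberately lets the more specific 10.1.1.0/24 pass ROA
# validation when it claims origin AS4.  (Constructed sample data.)
ROA_DATA: List[Tuple[str, int, int]] = [("10.1.0.0/16", 24, 4)]


class Verdict(Enum):
    LEARN = "learn"
    DISCARD = "discard"
    LOW_PRIORITY = "low priority"


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    origin_as: int    # the "original AS" carried in the route (verification info)
    neighbor_as: int  # AS of the BGP neighbor the route was received from


def target_area(asn: int, scope: str = "area") -> Optional[Tuple[int, ...]]:
    """Target area of an AS: its area, its area federation, or both."""
    info = AREA_INFO.get(asn)
    if info is None:
        return None
    federation, area = info
    return {"area": (area,), "federation": (federation,),
            "both": (federation, area)}[scope]


def roa_valid(route: BgpRoute) -> bool:
    """Route origin validation: some ROA covers the prefix with this origin AS."""
    net = ipaddress.ip_network(route.prefix)
    for roa_prefix, max_len, origin in ROA_DATA:
        covering = ipaddress.ip_network(roa_prefix)
        if (net.subnet_of(covering) and net.prefixlen <= max_len
                and origin == route.origin_as):
            return True
    return False


def validate_route(route: BgpRoute, scope: str = "area",
                   on_mismatch: Verdict = Verdict.DISCARD,
                   check_roa: bool = True) -> Verdict:
    """S210-S230: decide whether a route received from a neighbor is learned."""
    # Optional ROA check performed before the area check: a forged origin AS
    # that does not match the ROA is rejected without any area lookup.
    if check_roa and not roa_valid(route):
        return on_mismatch
    # S220: the route's target area is the target area of its origin AS.
    route_area = target_area(route.origin_as, scope)
    # The source device of the route is the BGP neighbor, so the neighbor's
    # AS gives the source device's target area.
    neighbor_area = target_area(route.neighbor_as, scope)
    # S230: learn only when both target areas are known and identical;
    # otherwise discard, or keep with a lower priority.
    if route_area is not None and route_area == neighbor_area:
        return Verdict.LEARN
    return on_mismatch


if __name__ == "__main__":
    genuine = BgpRoute("10.1.0.0/16", origin_as=4, neighbor_as=4)   # from PE4
    forged = BgpRoute("10.1.1.0/24", origin_as=4, neighbor_as=100)  # from PE5
    print("route 1 from PE4:", validate_route(genuine).value)
    print("route 2 from PE5:", validate_route(forged).value)
    print("route 2, deprioritised instead:",
          validate_route(forged, on_mismatch=Verdict.LOW_PRIORITY).value)
```

Running the script shows the genuine route from PE4 being learned and the forged /24 from PE5 being discarded (or deprioritised) even though it passes ROA validation. Calling `validate_route` with `check_roa=False` on a route whose origin AS has been swapped to another AS of the same area (for example AS5 announcing the /24 to a neighbor in AS5) shows the limitation noted above: the area check alone accepts it, and only the ROA comparison rejects it.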
The embodiment of the present application also provides a method for forwarding a packet, and a device and a system based on the method. The method, device and system embodiments may refer to one another; elements that are the same or similar are not described again in detail.
Referring to fig. 5, an embodiment of the present application provides a method for forwarding a packet. The method is applied to a first network device in a BGP-based network, wherein the first network device comprises a network interface, and the method comprises the following steps:
S310, the first network device receives a packet through the network interface.
S320, the first network device determines the target area to which the packet belongs according to the source address of the packet.
The source address of the packet corresponds to specific BGP routing information: the source address is matched to a BGP prefix in the BGP routing information by longest prefix match, i.e. traffic destined to the source address would be routed using that BGP routing information. That BGP routing information carries the original AS.
Optionally, the first network device uses the target area to which the original AS carried in that BGP routing information belongs as the target area to which the packet belongs. Illustratively, the target area is an area, an area federation, or a combination of an area and an area federation. That is, the first network device may use the area to which the original AS carried in the BGP routing information belongs, the area federation to which that original AS belongs, or the combination of that area and area federation, as the target area to which the packet belongs.
In connection with the network scenario shown in fig. 3A, the first network device may be PE1 in the ISP1 backbone, the second network device may be PE4 in the ISP2 backbone or PE5 in an external ISP, and PE1 is connected to PE4 or PE5 through BGP. A server (not shown in fig. 3A) reached through PE4 in the ISP2 backbone has the address block 10.1.0.0/16, and BGP routing information 1 is published to external ASs for it, with BGP prefix 10.1.0.0/16 and original AS AS4. PE1 in the ISP1 backbone is connected to PE4 through network interface A, so PE1 receives BGP routing information 1 from PE4 through network interface A, and PE1 may also receive from PE4 a packet 1 sent by the server, whose source address lies within the server address block 10.1.0.0/16. From the source address of packet 1, PE1 determines that the BGP routing information corresponding to the source address is BGP routing information 1, and from AS4 in BGP routing information 1, combined with the obtained area information, determines that the area to which AS4 belongs is area 2, and therefore that the area to which packet 1 belongs is area 2.
If packets sent by the server are hijacked by PE5 in the external ISP belonging to AS100, and PE1 is connected to PE5 through network interface B, PE1 receives from PE5 through network interface B a packet 2 sent by the server, whose source address likewise lies within the server address block 10.1.0.0/16. From the source address of packet 2, PE1 still determines that the corresponding routing information is BGP routing information 1, and from AS4 in BGP routing information 1, combined with the obtained area information, determines that the area to which AS4 belongs is area 2, and therefore that the area to which packet 2 belongs is area 2.
S330, when the target area to which the network interface belongs is the same as the target area to which the packet belongs, the first network device forwards the packet.
As described above, the method provided by the embodiment of the present application divides the ASs in a network into different areas and/or area federations. The method then checks received packets and forwards only packets that pass the check: packets belonging to an area must not be received from outside that area, and packets belonging to an area federation must not be received from outside that area federation, which improves network security. The rule by which a network device checks a packet is as follows: a packet belonging to the local area must not enter or leave through an interface outside the local area, and a packet belonging to the local area federation must not enter or leave through an interface outside the local area federation.
Therefore, after the first network device receives a packet through the network interface, it first checks the packet. Specifically, the first network device compares the target area to which the packet belongs with the target area to which the network interface that received the packet belongs. For example, the target area to which the receiving network interface belongs is the target area to which the other network device connected through that network interface, such as the second network device, belongs.
Illustratively, when the target area to which the packet belongs is the same as the target area to which the receiving network interface belongs, the first network device forwards the packet.
In one example, when the target area to which the packet belongs differs from the target area to which the receiving network interface belongs, the first network device discards the packet, or records the packet, so as to ensure network security.
In connection with the network scenario shown in fig. 3A, the first network device may be PE1 in the ISP1 backbone, the second network device may be PE4 in the ISP2 backbone or PE5 in an external ISP, and PE1 is connected to PE4 or PE5 through BGP. The address block of a server (not shown in fig. 3A) reached through PE4 in the ISP2 backbone may be 10.1.0.0/16, and PE1 in the ISP1 backbone receives from PE4 through network interface A a packet 1 sent by the server, whose source address lies within the server address block 10.1.0.0/16. From the source address of packet 1, PE1 determines that the area to which packet 1 belongs is area 2. PE1 is connected to PE4 through network interface A, and since the area to which PE4 belongs is area 2, the area to which network interface A belongs is area 2. The area to which packet 1 belongs is therefore the same as the area to which the network interface that received packet 1 belongs, so PE1 considers packet 1 safe and reliable and forwards it.
If packet 2 sent by the server is hijacked by PE5 in the external ISP belonging to AS100, and PE1 is connected to PE5 through network interface B, PE1 receives packet 2 from PE5 through network interface B, with a source address within the server address block 10.1.0.0/16. PE1 determines that the area to which packet 2 belongs is area 2. PE1 is connected to PE5 through network interface B, and since the area to which PE5 belongs is not area 2, the area to which network interface B belongs is not area 2. The area to which packet 2 belongs therefore differs from the area to which the network interface that received packet 2 belongs, so PE1 considers packet 2 suspicious and does not forward packet 2.
Therefore, the technical solution provided by the embodiment of the present application has the following beneficial effects: an external ISP is prevented from hijacking packets belonging to an area; an external ISP is prevented from hijacking packets belonging to an area federation; and network security is improved.
In one example, before the first network device uses the original AS carried in the BGP routing information to determine the target area to which a packet belongs, the first network device performs ROA verification on the original AS. Specifically, the first network device determines whether the first original AS is the same as the original AS for that BGP routing information obtained from Route Origin Authorization (ROA) data. If the two are the same, the first network device goes on to determine the target area to which the packet belongs using the first original AS. If the two differ, the first original AS may be forged and the BGP routing information may also be forged, and the first network device does not use that original AS to determine the target area to which the packet belongs.
Illustratively, the ROA data may be stored locally by the first network device after it establishes a connection with an RPKI server.
It should be noted that the two checks may be performed in either order. In one order, after the first network device determines that the first original AS, to which the source address obtained from the packet belongs, is the same as the second original AS from the ROA data, it determines whether the target area to which the network interface belongs is the same as the target area to which the packet belongs. In the other order, the first network device first determines whether the target area to which the network interface belongs is the same as the target area to which the packet belongs, and only after they match determines whether the first original AS and the second original AS are the same. Illustratively, when the first network device determines that the target area to which the network interface belongs differs from the target area to which the packet belongs, the packet may be discarded directly without determining whether the first original AS and the second original AS are the same.
The embodiment of the present application does not limit the order in which it is determined whether the target area to which the network interface belongs is the same as the target area to which the packet belongs, and whether the first original AS to which the source address obtained from the packet belongs is the same as the second original AS. Performing both determinations, rather than only the target area comparison, further improves network security.
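The packet check of steps S310 to S330, including the longest-prefix lookup of the source address, the ROA check on the origin AS of the matched route, and the discard-and-record handling of a mismatch, as an added example in Python that is not part of the patent. The learned routes, the ROA entries, the interface-to-neighbor mapping (interface A facing PE4 in AS4, interface B facing PE5 in AS100), the sample source addresses and the verdict names are assumptions made for the illustration; the text leaves open what the device does with a packet whose origin AS fails the ROA check, so the example reports that case as a separate verdict rather than deciding it.

```python
"""Area-based check of a received packet in the style of steps S310-S330.

Added illustration, not code from the patent.  The RIB contents, the
interface-to-neighbor mapping, the ROA entries and the sample packets are
constructed from the fig. 3A scenario described in the text.
"""
import ipaddress
from enum import Enum
from typing import Dict, List, Optional, Tuple

# AS -> (area federation, area), as issued by the area data server.
AREA_INFO: Dict[int, Tuple[int, int]] = {
    1: (1, 1), 2: (1, 1), 3: (1, 1),
    4: (1, 2), 5: (1, 2), 6: (1, 2),
}

# Routes PE1 has already learned: prefix -> original AS carried in the route.
# 10.3.0.0/16 carries an original AS that the ROA data below does not authorize.
BGP_RIB: Dict[str, int] = {
    "10.1.0.0/16": 4,   # BGP routing information 1, the server behind PE4
    "10.2.0.0/16": 1,   # a route originated inside area 1
    "10.3.0.0/16": 7,   # original AS disagrees with the ROA
}

# ROA data fetched from an RPKI server: (prefix, maxLength, origin AS).
ROA_DATA: List[Tuple[str, int, int]] = [
    ("10.1.0.0/16", 16, 4), ("10.2.0.0/16", 16, 1), ("10.3.0.0/16", 16, 3),
]

# Network interface -> AS of the BGP neighbor reached through it.
# Interface A faces PE4 (AS4, area 2); interface B faces PE5 (AS100, no area).
INTERFACES: Dict[str, int] = {"A": 4, "B": 100}


class Verdict(Enum):
    FORWARD = "forward"
    DROP = "drop"
    NO_ROUTE = "no route for source address"
    ORIGIN_UNVERIFIED = "origin AS fails ROA check"


def area_of_as(asn: Optional[int]) -> Optional[int]:
    info = AREA_INFO.get(asn) if asn is not None else None
    return None if info is None else info[1]


def lookup_route(src: str) -> Optional[Tuple[str, int]]:
    """Longest-prefix match of the packet's source address against the RIB."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, origin in BGP_RIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin)
    return None if best is None else (str(best[0]), best[1])


def roa_authorizes(prefix: str, origin_as: int) -> bool:
    """Does some ROA cover the prefix with this origin AS?"""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(p)) and net.prefixlen <= ml
               and o == origin_as for p, ml, o in ROA_DATA)


def check_packet(src: str, iface: str, audit: List[str],
                 verify_roa: bool = True) -> Verdict:
    """S320/S330: compare the packet's area with the receiving interface's area."""
    hit = lookup_route(src)
    if hit is None:
        return Verdict.NO_ROUTE
    prefix, origin_as = hit
    # ROA check on the original AS before it is used to derive the area.
    # The text only says the original AS cannot be used in this case, so the
    # packet is reported separately rather than silently dropped.
    if verify_roa and not roa_authorizes(prefix, origin_as):
        return Verdict.ORIGIN_UNVERIFIED
    packet_area = area_of_as(origin_as)                 # S320
    iface_area = area_of_as(INTERFACES.get(iface))      # area of the neighbor behind iface
    if packet_area is not None and packet_area == iface_area:
        return Verdict.FORWARD                          # S330
    # Mismatch: discard and record the packet.
    audit.append(f"drop src={src} iface={iface} "
                 f"packet_area={packet_area} iface_area={iface_area}")
    return Verdict.DROP


if __name__ == "__main__":
    log: List[str] = []
    print("packet 1 via A:", check_packet("10.1.7.9", "A", log).value)
    print("packet 2 via B:", check_packet("10.1.7.9", "B", log).value)
    print("\n".join(log))
```

The same source address is forwarded when it arrives on interface A (area 2, matching the area of AS4) and dropped with an audit record when it arrives on interface B, whose neighbor belongs to no area. A packet from an area 1 prefix arriving on the area 2 interface is also dropped, which shows that the check is an area comparison rather than a simple allow-list of known prefixes.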
In an exemplary embodiment, an apparatus for learning a route is provided, where the apparatus is applied in a first network device in a BGP-based network, and the network further includes a second network device, and the first network device communicates with the second network device through BGP, as shown in fig. 6, the apparatus includes:
an obtaining unit 801, configured to obtain first BGP routing information from a second network device, where the first BGP routing information includes verification information;
a processing unit 802, configured to determine, according to the verification information, a target area to which the first BGP routing information belongs; and when the target area to which the first BGP routing information belongs is the same as the target area to which the second network equipment belongs, learning the first BGP routing information.
In an exemplary embodiment, an apparatus for forwarding a packet is provided, where the apparatus is applied in a first network device in a border gateway protocol BGP-based network, where the first network device includes a network interface, as shown in fig. 7, the apparatus includes:
an obtaining unit 1001, configured to receive a message through a network interface, where the message includes a source address;
a processing unit 1002, configured to determine, according to the source address, a target area to which the packet belongs;
a forwarding unit 1003, configured to forward the packet when the target area to which the network interface belongs is the same as the target area to which the packet belongs.
It should be understood that the apparatus provided in fig. 6 or fig. 7 is only illustrated by the division of the functional modules when the functions of the apparatus are implemented, and in practical applications, the functions may be distributed and performed by different functional modules according to needs, that is, the internal structure of the apparatus is divided into different functional modules to perform all or part of the functions described above. In addition, the apparatus and method embodiments provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments for details, which are not described herein again.
Fig. 8 shows another possible schematic structure of the network device involved in the above embodiments. The network device 1200 includes: a processor 1202, a network interface 1203, a memory 1201, and a bus 1204. Wherein,
a memory 1201 for storing instructions; in the case of implementing the embodiment shown in fig. 6, and in the case where each unit described in the embodiment of fig. 6 is implemented by software, software or program codes necessary for executing the functions of each unit in fig. 6 are stored in the memory 1201.
A processor 1202 for executing the instructions in the memory 1201 to perform the method for learning a route in the embodiment shown in fig. 4. The processor 1202 may be a Central Processing Unit (CPU), a general purpose processor, a Digital Signal Processor (DSP), an application-specific integrated circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, transistor logic, a hardware component, or any combination thereof, and may implement or perform the various illustrative logical blocks, modules and circuits described in connection with the disclosure of the embodiments of the present application. A processor may also be a combination of computing devices, for example one or more microprocessors, or a DSP together with a microprocessor.
A network interface 1203 for communicating with other network devices. The network interface 1203 may be an ethernet (ethernet) interface or an Asynchronous Transfer Mode (ATM) interface, or the like.
The network interface 1203, the processor 1202, and the memory 1201 are connected to each other by a bus 1204; the bus 1204 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 8, but this is not intended to represent only one bus or type of bus.
In a particular embodiment, the processor 1202 is configured to execute the instructions in the memory 1201 to cause the network device 1200 to obtain first BGP routing information from the second network device, where the first BGP routing information includes authentication information; determining the area to which the first BGP routing information belongs according to the verification information; and when the area to which the first BGP routing information belongs is the same as the area to which the second network equipment belongs, learning the first BGP routing information. For a detailed processing procedure of the processor 1202, please refer to the detailed description of the procedures S210, S220, and S230 in the embodiment shown in fig. 4, which is not described herein again.
The network interface 1203 is used for the network device 1200 to receive routing information and send and receive messages through the network system. For a specific process, please refer to the detailed description of S210, S220, and S230 in the embodiment shown in fig. 4, which is not repeated herein.
Fig. 9 shows another possible schematic structure of the network device involved in the above embodiments. The network device 1300 includes: a master control board 1301 and an interface board 1302. The main control board 1301 includes: a processor 1303 and a memory 1304. The interface board 1302 includes: a processor 1305, a memory 1306, and an interface card 1307. The master control board 1301 and the interface board 1302 are coupled.
This hardware may implement the corresponding functions of the network device in the embodiment shown in fig. 4. For example, the memory 1306 is used for storing the program code of the interface board 1302, and the processor 1305 is used for calling the program code in the memory 1306 to trigger the interface card 1307 to perform the various information receiving and transmitting operations performed by the network device in the above-described method embodiments. The memory 1304 may be configured to store the program code of the main control board 1301, and the processor 1303 is configured to call the program code in the memory 1304 to perform the processing of the network device other than information transceiving in the foregoing method embodiment.
For example, the processor 1305 is configured to trigger the interface card 1307 to obtain first BGP routing information from the second network device, where the first BGP routing information includes verification information; the processor 1303 is configured to determine the target area to which the first BGP routing information belongs according to the verification information, and to learn the first BGP routing information when the target area to which the first BGP routing information belongs is the same as the target area to which the second network device belongs. The memory 1304 is used for storing the program code and data of the main control board 1301, and the memory 1306 is used for storing the program code and data of the interface board 1302.
In one example, an IPC channel is established between the main control board 1301 and the interface board 1302, and the main control board 1301 and the interface board 1302 communicate with each other through the IPC channel. For example, the main control board 1301 receives BGP routing information or packets from the interface board 1302 through the IPC channel.
The network device 1300 may be a router or a switch or a network device with a forwarding function, and the network device 1300 can implement the functions of the network device in the embodiment shown in fig. 4, and specific execution steps may refer to the foregoing method embodiments, which are not described herein again.
Fig. 10 shows a schematic diagram of a possible structure of the network device involved in the foregoing embodiments. The network device 1500 includes a processor 1502, a network interface 1503, a memory 1501, and a bus 1504, where:
the memory 1501 is used for storing instructions; when the embodiment shown in fig. 7 is implemented and the units described in that embodiment are implemented by software, the software or program code necessary for executing the functions of the units in fig. 7 is stored in the memory 1501;
the processor 1502 is used for executing the instructions in the memory 1501 to perform the message forwarding method of the embodiment shown in fig. 7. The processor 1502 may be a Central Processing Unit (CPU), a general purpose processor, a Digital Signal Processor (DSP), an application-specific integrated circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, transistor logic, hardware components, or any combination thereof, and may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure of the embodiments of the application. A processor may also be a combination of computing functions, e.g., comprising one or more microprocessors, a DSP and a microprocessor, or the like;
the network interface 1503 is used for communicating with other network devices, and may be an Ethernet interface, an Asynchronous Transfer Mode (ATM) interface, or the like.
The network interface 1503, the processor 1502, and the memory 1501 are connected to each other by a bus 1504; the bus 1504 may be a PCI bus or an EISA bus, etc. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 10, but this is not intended to represent only one bus or type of bus.
In a particular embodiment, the processor 1502 is configured to execute the instructions in the memory 1501 to cause the network device 1500 to receive a message via the network interface, the message including a source address; determining a target area to which the message belongs according to the source address; and when the target area to which the network interface belongs is the same as the target area to which the message belongs, forwarding the message. For a detailed processing procedure of the processor 1502, please refer to the detailed description of the procedures S310, S320, and S330 in the embodiment shown in fig. 5, which is not described herein again.
The network interface 1503 is used for the network device 1500 to send and receive messages through the network system. For a specific process, please refer to the detailed description of S310, S320, and S330 in the embodiment shown in fig. 5, which is not repeated herein.
Fig. 11 shows another possible schematic structure diagram of the network device involved in the above embodiment. The network device 1600 includes: a main control board 1601 and an interface board 1602. The main control board 1601 includes: a processor 1603 and a memory 1604. The interface board 1602 includes: a processor 1605, a memory 1606, and an interface card 1607. The main control board 1601 is coupled to the interface board 1602.
This hardware may implement the corresponding functions of the network device in the embodiment shown in fig. 5. For example, the memory 1606 is used for storing the program code of the interface board 1602, and the processor 1605 is used for calling the program code in the memory 1606 to trigger the interface card 1607 to perform the various information receiving and transmitting operations performed by the network device in the above-described method embodiment. The memory 1604 may be used for storing the program code of the main control board 1601, and the processor 1603 is used for calling the program code in the memory 1604 to perform the processing of the network device other than information transceiving in the above method embodiments.
For example, the processor 1605 is configured to trigger the interface card 1607 to receive a message through the network interface, where the message includes a source address, and to forward the message when the target area to which the network interface belongs is the same as the target area to which the message belongs; the processor 1603 is configured to determine the target area to which the message belongs according to the source address. The memory 1604 is used for storing the program code and data of the main control board 1601, and the memory 1606 is used for storing the program code and data of the interface board 1602.
In one example, an IPC channel is established between the main control board 1601 and the interface board 1602, and the main control board 1601 and the interface board 1602 communicate with each other through the IPC channel. For example, the main control board 1601 receives BGP routing information or messages from the interface board 1602 through the IPC channel.
Network device 1600 may be a router or a switch or a network device with a forwarding function, where network device 1600 can implement the functions of the network device in the embodiment shown in fig. 5, and specific execution steps may refer to the foregoing method embodiments, which are not described herein again.
The present application further provides a non-transitory storage medium for storing software instructions used in the foregoing embodiments, which includes a program for executing the method shown in the foregoing embodiments, and when the program is executed on a computer or a network device, the computer or the network device is caused to execute the method in the foregoing method embodiments.
Embodiments of the present application also provide a computer program product comprising computer program instructions, which, when run on a network node, cause the network node to perform the method in the aforementioned method embodiments.
The term "first" in "first network device" in the embodiments of the present application is used only for naming and does not indicate an order. The same applies to "second", "third", and so on.
It should be noted that any of the above-described device embodiments are merely schematic, where units illustrated as separate components may or may not be physically separate, and components illustrated as units may or may not be physical units, may be located in one place, or may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. In addition, in the drawings of the embodiments of the network node provided by the present application, a connection relationship between modules indicates that there is a communication connection therebetween, and may be specifically implemented as one or more communication buses or signal lines. One of ordinary skill in the art can understand and implement it without inventive effort.
The steps of a method or algorithm described in the disclosure of the embodiments of the present application may be implemented in hardware, or may be implemented by a processor executing software instructions. The software instructions may consist of corresponding software modules that may be stored in Random Access Memory (RAM), flash memory, Read Only Memory (ROM), Erasable Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), a hard disk, a removable hard disk, an optical disk, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an ASIC. Additionally, the ASIC may reside in a network node. Of course, the processor and the storage medium may also reside as discrete components in a network node.
Those skilled in the art will recognize that in one or more of the examples described above, the functions described herein may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer.
The above embodiments are provided to explain the purpose, technical solutions and advantages of the present application in further detail, and it should be understood that the above embodiments are merely illustrative of the present application and are not intended to limit the scope of the present application, and any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present application should be included in the scope of the present application.

Claims (26)

1. A method for learning routing, the method being applied in a first network device in a Border Gateway Protocol (BGP) -based network, the network further including a second network device, the first network device communicating with the second network device through BGP, the method comprising:
the first network device acquires first BGP routing information from the second network device, wherein the first BGP routing information comprises verification information;
the first network device determines a target area to which the first BGP routing information belongs according to the verification information;
when the target area to which the first BGP routing information belongs is the same as the target area to which the second network device belongs, the first network device learns the first BGP routing information.
2. The method of claim 1, further comprising:
when the target area to which the first BGP routing information belongs is different from the target area to which the second network device belongs, the first network device discards the first BGP routing information, or sets the priority of the first BGP routing information to a first priority, where the first priority is lower than a second priority, and the priority of the second BGP routing information is the second priority, and the target area to which the second BGP routing information belongs is the same as the target area to which the second network device belongs.
3. The method of claim 1 or 2, wherein the verification information comprises a first original Autonomous System (AS), and wherein the determining, by the first network device, the target area to which the first BGP routing information belongs according to the verification information comprises:
the first network device takes the target area to which the first original AS belongs as the target area to which the first BGP routing information belongs.
4. The method of claim 3, further comprising:
the first network device obtains area information, wherein the area information comprises a mapping relation between identification information of the second network device and a target area to which the second network device belongs, and a mapping relation between the first original AS and the target area to which the first original AS belongs;
the first network device determines a target area to which the second network device belongs according to the identification information of the second network device and the area information;
and the first network device determines a target area to which the first original AS belongs according to the first original AS and the area information.
5. The method of claim 3, wherein before the first network device treats a target area to which the first original AS belongs as a target area to which the first BGP routing information belongs, the method further comprises:
the first network device determines that the first original AS is the same as a second original AS, wherein the second original AS is the original AS corresponding to the first BGP routing information and acquired from Route Origin Authorization (ROA) data.
6. The method of any of claims 1-4, wherein the target area comprises an area, an area federation, or a combination of an area and an area federation.
7. A method for forwarding a packet, the method being applied to a first network device in a BGP-based network, the first network device including a network interface, the method comprising:
the first network device receives a message through the network interface, wherein the message comprises a source address;
the first network device determines a target area to which the message belongs according to the source address;
and when the target area to which the network interface belongs is the same as the target area to which the message belongs, the first network device forwards the message.
8. The method of claim 7, further comprising:
when the target area to which the network interface belongs is different from the target area to which the message belongs, the first network device discards the message, or the first network device records the message.
9. The method of claim 7 or 8, wherein the source address corresponds to first BGP routing information, the first BGP routing information further includes a first original Autonomous System (AS), and the determining, by the first network device, of the target area to which the packet belongs according to the source address includes:
the first network device takes the target area to which the first original AS belongs as the target area to which the message belongs.
10. The method of claim 9, wherein the network further comprises a second network device, wherein the first network device communicates with the second network device via BGP, and wherein the first network device connects to the second network device via the network interface, the method further comprising:
the first network device obtains area information, where the area information includes a mapping relationship between identification information of the second network device and a target area to which the network interface belongs, and a mapping relationship between the first original AS and the target area to which the first original AS belongs;
the first network device determines a target area to which the network interface belongs according to the identification information of the second network device and the area information;
and the first network device determines a target area to which the first original AS belongs according to the first original AS and the area information.
11. The method according to claim 9 or 10, wherein before the first network device takes the target area to which the first original AS belongs as the target area to which the packet belongs, the method further comprises:
the first network device determines that the first original AS is the same as a second original AS, and the second original AS is the original AS to which the source address, as acquired from Route Origin Authorization (ROA) data, belongs.
12. An apparatus for learning routing, the apparatus being applied in a first network device in a Border Gateway Protocol (BGP) -based network, the network further comprising a second network device, the first network device communicating with the second network device through BGP, the apparatus comprising:
an obtaining module, configured to obtain first BGP routing information from the second network device, where the first BGP routing information includes verification information;
and a processing module, configured to determine a target area to which the first BGP routing information belongs according to the verification information, and to learn the first BGP routing information when the target area to which the first BGP routing information belongs is the same as the target area to which the second network device belongs.
13. The apparatus of claim 12,
the processing module is further configured to discard the first BGP routing information when the target area to which the first BGP routing information belongs is different from the target area to which the second network device belongs, or set a priority of the first BGP routing information to a first priority, where the first priority is lower than a second priority, and a priority of the second BGP routing information is the second priority, and the target area to which the second BGP routing information belongs is the same as the target area to which the second network device belongs.
14. The apparatus according to claim 12 or 13, wherein said verification information comprises a first original Autonomous System (AS),
the processing module is further configured to use a target area to which the first original AS belongs as a target area to which the first BGP routing information belongs.
15. The apparatus of claim 14,
the obtaining module is further configured to obtain area information, where the area information includes a mapping relationship between identification information of the second network device and a target area to which the second network device belongs, and a mapping relationship between the first original AS and the target area to which the first original AS belongs;
the processing module is further configured to determine a target area to which the second network device belongs according to the identification information of the second network device and the area information;
the processing module is further configured to determine a target area to which the first original AS belongs according to the first original AS and the area information.
16. The apparatus of claim 14,
the processing module is further configured to determine that the first original AS is the same as a second original AS, where the second original AS is the original AS corresponding to the first BGP routing information and acquired from Route Origin Authorization (ROA) data.
17. The apparatus of any of claims 12-16, wherein the target area comprises an area, an area federation, or a combination of an area and an area federation.
18. An apparatus for forwarding a packet, the apparatus being applied in a first network device in a Border Gateway Protocol (BGP) -based network, the first network device including a network interface, the apparatus comprising:
an obtaining module, configured to receive a message through the network interface, where the message includes a source address;
the processing module is used for determining a target area to which the message belongs according to the source address;
and the forwarding module is used for forwarding the message when the target area to which the network interface belongs is the same as the target area to which the message belongs.
19. The apparatus of claim 18,
the forwarding module is further configured to discard the packet or record the packet when the target area to which the network interface belongs is different from the target area to which the packet belongs.
20. The apparatus of claim 18 or 19, wherein the source address corresponds to first BGP routing information, the first BGP routing information further comprising a first original Autonomous System (AS),
the processing module is further configured to use a target area to which the first original AS belongs as a target area to which the packet belongs.
21. The apparatus of claim 20, wherein the network further comprises a second network device, wherein the first network device communicates with the second network device via BGP, and wherein the first network device connects to the second network device via the network interface;
the obtaining module is further configured to obtain area information, where the area information includes a mapping relationship between identification information of the second network device and a target area to which the network interface belongs, and a mapping relationship between the first original AS and the target area to which the first original AS belongs;
the processing module is further configured to determine a target area to which the network interface belongs according to the identification information of the second network device and the area information, and determine a target area to which the first original AS belongs according to the first original AS and the area information.
22. The apparatus of claim 20 or 21,
the processing module is further configured to determine that the first original AS is the same as a second original AS, where the second original AS is the original AS to which the source address, as obtained from Route Origin Authorization (ROA) data, belongs.
23. An apparatus for learning a route, the apparatus comprising:
a memory and a processor, the memory having stored therein at least one instruction, the at least one instruction being loaded and executed by the processor to implement the method of learning routing of any of claims 1-6.
24. A computer-readable storage medium having stored therein at least one instruction which is loaded and executed by a processor to implement the method of learning routing according to any one of claims 1-6.
25. An apparatus for forwarding a packet, the apparatus comprising:
a memory and a processor, the memory having stored therein at least one instruction, the at least one instruction being loaded and executed by the processor to implement the method of forwarding a packet according to any of claims 7-11.
26. A computer-readable storage medium having stored thereon at least one instruction which is loaded and executed by a processor to implement the method of forwarding a packet according to any one of claims 7-11.
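The route-learning procedure of claims 1 to 6 and the forwarding procedure of claims 7 to 11 (S210 to S230 and S310 to S330 in the description), worked through as an added Python example; this is not code from the patent or from any Huawei implementation. The peer addresses, interface names, AS numbers, area names and ROA entries are constructed, and two choices the claims leave open are assumptions of this example: a prefix with no covering ROA is not rejected, and a source address with no matching route is discarded.

```python
"""Area-based BGP route learning and source-address forwarding check.

Added example, not the patent's code. All addresses, AS numbers, interfaces
and areas are constructed; "area" stands for the patent's target area.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed area information (claims 4 and 10): the area of each BGP peer,
# identified by its address, and the area of each origin AS.
AREA_BY_PEER: Dict[str, str] = {"10.0.0.2": "area-A", "10.0.0.6": "area-B"}
AREA_BY_ORIGIN_AS: Dict[int, str] = {65001: "area-A", 65002: "area-A", 65010: "area-B"}
# Constructed mapping of each local interface to the peer reached through it;
# the interface's area is the area of that peer (claim 10).
PEER_BY_INTERFACE: Dict[str, str] = {"eth0": "10.0.0.2", "eth1": "10.0.0.6"}
# Constructed ROA data: prefix -> authorized origin AS (claims 5 and 11).
ROA: Dict[IPv4Network, int] = {ip_network("192.0.2.0/24"): 65001, ip_network("198.51.100.0/24"): 65010}
SECOND_PRIORITY = 100  # normal priority of a route whose area matches its peer
FIRST_PRIORITY = 10    # the lower "first priority" of claim 2


@dataclass
class BgpRoute:
    prefix: IPv4Network
    origin_as: int  # the verification information: the route's origin AS
    peer: str       # identification information of the advertising peer
    priority: int = SECOND_PRIORITY


def make_route(prefix: str, origin_as: int, peer: str) -> BgpRoute:
    """Build a route as received from a peer, e.g. make_route("192.0.2.0/24", 65001, "10.0.0.2")."""
    return BgpRoute(ip_network(prefix), origin_as, peer)


def roa_origin_as(prefix: IPv4Network) -> Optional[int]:
    """Origin AS authorized by the most specific ROA covering the prefix, if any."""
    covering = [net for net in ROA if prefix.subnet_of(net)]
    if not covering:
        return None
    return ROA[max(covering, key=lambda net: net.prefixlen)]


def area_of_route(route: BgpRoute) -> Optional[str]:
    """Target area of a route: the area of its origin AS (claims 3 and 9), but only
    if that origin AS agrees with ROA data (claims 5 and 11). Assumption for this
    example: a prefix with no covering ROA is not rejected."""
    authorized = roa_origin_as(route.prefix)
    if authorized is not None and authorized != route.origin_as:
        return None  # origin AS contradicts the ROA: the route has no trusted area
    return AREA_BY_ORIGIN_AS.get(route.origin_as)


def validate_route(route: BgpRoute, deprioritize: bool = False) -> Tuple[str, Optional[BgpRoute]]:
    """Claims 1 and 2: learn the route only if its area equals the peer's area;
    otherwise discard it or, if deprioritize is set, learn it at FIRST_PRIORITY.
    A route whose area cannot be determined is always discarded."""
    route_area = area_of_route(route)
    peer_area = AREA_BY_PEER.get(route.peer)
    if route_area is not None and route_area == peer_area:
        return "learn", route
    if deprioritize and route_area is not None:
        return "deprioritize", BgpRoute(route.prefix, route.origin_as, route.peer, FIRST_PRIORITY)
    return "discard", None


class Rib:
    """Minimal routing table holding the routes the device has accepted."""

    def __init__(self) -> None:
        self.routes: List[BgpRoute] = []

    def learn(self, route: BgpRoute, deprioritize: bool = False) -> str:
        decision, accepted = validate_route(route, deprioritize)
        if accepted is not None:
            self.routes.append(accepted)
        return decision

    def lookup(self, addr: IPv4Address) -> Optional[BgpRoute]:
        """Longest-prefix match; among equal lengths the higher priority wins."""
        matches = [r for r in self.routes if addr in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: (r.prefix.prefixlen, r.priority))


def forwarding_decision(rib: Rib, interface: str, src_addr: str) -> str:
    """Claims 7 to 9: forward only if the ingress interface's area equals the area
    of the route matching the packet's source address; otherwise discard (the
    patent also allows recording the packet instead of discarding it)."""
    route = rib.lookup(ip_address(src_addr))
    if route is None:
        return "discard"  # assumption: a source with no route has no area
    interface_area = AREA_BY_PEER.get(PEER_BY_INTERFACE.get(interface, ""))
    if interface_area is not None and interface_area == area_of_route(route):
        return "forward"
    return "discard"
```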

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP20852148.4A EP4016941A4 (en) 2019-08-15 2020-08-14 Method for learning routing, method for forwarding report, device, and storage medium
PCT/CN2020/109315 WO2021027941A1 (en) 2019-08-15 2020-08-14 Method for learning routing, method for forwarding report, device, and storage medium
US17/671,695 US11799756B2 (en) 2019-08-15 2022-02-15 Route learning method, packet forwarding method and device, and storage medium

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910754931 2019-08-15
CN2019107549313 2019-08-15

Publications (2)

Publication Number Publication Date
CN112398741A true CN112398741A (en) 2021-02-23
CN112398741B CN112398741B (en) 2023-09-05

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910988765.3A Active CN112398741B (en) 2019-08-15 2019-10-17 Method for learning routing, method for forwarding message, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant